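# NixOS module: self-hosted Forgejo behind an nginx TLS reverse proxy, plus one
# Actions runner registered against it.
#
# Reads from `config`:
#   - config.networking.domain                 base domain; the vhost is git.<domain>
#   - config.age.secrets.forgejo-runner.path   runner registration token (agenix)
{ pkgs, config, ... }:
{
  services.forgejo = {
    enable = true;
    settings = {
      server = {
        # NOTE(review): DOMAIN is hard-coded while ROOT_URL and the nginx vhost
        # are derived from config.networking.domain -- confirm the two agree.
        DOMAIN = "git.4o1x5.dev";
        ROOT_URL = "https://git.${config.networking.domain}/";
        # Git is served over HTTPS only; the built-in SSH endpoint is off.
        DISABLE_SSH = true;
      };
      # DISABLE_REGISTRATION is a [service] key in app.ini. Placed under
      # [server] it is not read, which leaves self-service sign-up open.
      service.DISABLE_REGISTRATION = true;
      DEFAULT.APP_NAME = "2005's git server";
      # Actions lets repository workflows execute on the runner defined below,
      # so who can create accounts and push workflows matters.
      actions.ENABLED = true;
    };
    database = {
      type = "postgres";
      createDatabase = true;
    };
  };

  services.nginx = {
    virtualHosts = {
      "git.${config.networking.domain}" = {
        # TLS terminates here: HTTP is redirected and the cert comes from ACME.
        forceSSL = true;
        enableACME = true;
        locations."/" = {
          # Stray leading space removed from the upstream URL.
          proxyPass = "http://127.0.0.1:3000";
        };
      };
    };
  };

  services.gitea-actions-runner.instances = {
    root = {
      enable = true;
      url = "https://git.${config.networking.domain}";
      # Token is read from a secret file at runtime instead of being inlined
      # into the (world-readable) Nix store.
      tokenFile = config.age.secrets.forgejo-runner.path;
      settings = {
        container = {
          # TODO fix: networking
          # Instead of using host, create a subnet that cannot contact other
          # servers on my network, to avoid being hacked.
          #
          # With "host", job containers share the host's network namespace:
          # workflow code can reach loopback-only services (the Forgejo
          # backend on 127.0.0.1:3000 above) and every host this machine can
          # route to. Until a dedicated, egress-filtered network replaces
          # this, treat every workflow as having this machine's network
          # position.
          network = "host";
        };
      };
      # NOTE(review): `ubuntu-latest` is a mutable image tag; pinning the image
      # by digest would fix what actually runs jobs.
      labels = [ "ubuntu-latest:docker://gitea/runner-images:ubuntu-latest" ];
      name = config.networking.domain;
    };
  };
}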